Geekzone: technology news, blogs, forums


mdf



Topic # 240374 4-Sep-2018 22:16

TL;DR version: recommendations as to reverse proxies for web app docker containers please. Emphasis on straightforward/good documentation rather than performance etc.

I am *very* new to web applications, but am trying to teach myself something new (more for the sake of it than anything; no specific projects in mind). There are a few web apps I've used previously without docker containers; right now, I am trying to figure out how to deploy the same apps inside containers. As I understand it, I need a reverse proxy to route traffic to the correct container.

I've had a look at both Apache and Nginx (as the web servers even I had heard of) and also have come across traefik.io, which seems to be designed for docker containers. However, the guides I've found seem to start off simple enough but then take off on a very steep learning curve that is beyond me so far (exhibit A: https://www.digitalocean.com/community/tutorials/how-to-use-traefik-as-a-reverse-proxy-for-docker-containers-on-ubuntu-16-04 - I did sort of get this one working, but did something wrong on the Let's Encrypt implementation).

Recommendations to help me stop flip flopping between options? Or particular guides/how tos/tutorials that you've found particularly helpful?


Amanzi
  Reply # 2084113 4-Sep-2018 23:26

I'd recommend learning Nginx first. Works great as a reverse proxy as well as a regular webserver. There are lots of tutorials out there, especially the LEMP tutorials on the Digital Ocean site. You don't need to run Nginx in a Docker container - you can just run it on the host and then use port forwarding on your Docker containers to determine where the traffic should go. But once you're comfortable working with Nginx it's easy to take what you've learned and bundle it up into a container.


  Reply # 2084128 5-Sep-2018 05:51

+1

NGINX contains a reverse proxy.

*Example*

No backup, no pity. Anyway, RAID isn't one.


  Reply # 2084134 5-Sep-2018 06:54

Nginx!!!

Lots of the common "web apps" even have demo configs for Nginx in their wikis.

To get started though, I found one of Digital Ocean's guides very helpful.

@michaelmurfy helped with a config for the Unifi controller too.

Mr Snotty

  Reply # 2084151 5-Sep-2018 07:55

I'm guilty of not using NGINX where I should, just because I know Apache so well - but either one will work for you.

 

With me, I've got a Debian VM running on my UnRaid server acting as both an Apache server and a reverse proxy. It hosts multiple sites.

An example of a site hosted from my home server is https://quake.murfy.nz - the Quake site is running in Docker (on the VM - I didn't want it on my local UnRaid server). The configuration for it (in /etc/apache2/sites-available/quake.conf) is as follows:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName quake.murfy.nz
    ServerAdmin michael@murfy.nz
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Header unset X-Powered-By
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ProxyPreserveHost On
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteRule /(.*) ws://127.0.0.1:49160/$1 [P,L]
    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://127.0.0.1:49160/
    ProxyPassReverse / http://127.0.0.1:49160/
    SSLCertificateFile /etc/letsencrypt/live/home.murfy.nz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/home.murfy.nz/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>


A few things to note in this configuration:
1) You need to run "a2enmod proxy_http" and "a2enmod proxy" - since I am using Websockets with this app "a2enmod proxy_wstunnel" is needed too. This enables these modules in Apache.
2) The RewriteRules are for the websocket connections running on quake. You can omit this if your app doesn't use websockets (inspect this using the Chrome inspect tool).
3) I am using LetsEncrypt for this so have rules to allow access to /.well-known/acme-challenge hosted in /var/www/html - this means LetsEncrypt can renew the SSL certificate for this site without just hitting the Proxied site every time it checks.
4) All my sites don't listen on Port 80 - they're SSL only. It is a good practice to get in to. I've got a strict transport policy set on all my sites with preloading enabled on my root domain (murfy.nz) so it is all HTTPS only.
5) The SSLCertificateFile and SSLCertificateKeyFile link to the LetsEncrypt keys on the server for SSL. I've got other sites hosted (for example - https://home.murfy.nz).
6) I've got a Cron job to automatically renew LetsEncrypt and reload the Apache configuration when that time comes. This updates the SSL on all domains hosted on this server.

 

For beginners - I think Apache is easier to configure and works just as well. The configuration for NGINX running on the UniFi server to achieve the same thing is much much bigger. NGINX is fast, but Apache is almost just as fast in most cases. I've got a site that gets over 2mil hits per day that uses Apache for example.

 

My VM on UnRaid is simply a Debian 9 VM running with 512MB of RAM, it also runs a few things locally in Docker just to prevent potentially exposing my NAS to the internet. I however don't see any issues with running something like NextCloud on the NAS docker and using a VM to reverse proxy it (which I assume is what you're trying to do). With NextCloud omit the RewriteCond in bold as you don't need websockets proxied.

 

@mdf feel free to flick me a message at any time if you'd like me to configure some virtual servers on Apache or NGINX so you can then reuse the configuration for other things. Quite happy to help out if you're unable to figure it out.
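For comparison, here is the same reverse proxy written as an Nginx server block. This is an added illustration, not part of the post above: it keeps the SSL-only listener, the ACME challenge answered from the local document root rather than the container, the HSTS header and the WebSocket upgrade, using the placeholder hostname quake.example.com and certificate paths under /etc/letsencrypt/live/quake.example.com. The options-ssl-nginx.conf include is the TLS settings file certbot's Nginx plugin writes and is assumed to be present.

```nginx
# Needed once in the http{} context (nginx.conf or a conf.d/ file) so WebSocket
# upgrades pass through; this replaces the Apache RewriteCond/RewriteRule pair.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# SSL-only virtual host, as in the Apache config: nothing listens on port 80.
server {
    listen 443 ssl;
    server_name quake.example.com;                     # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/quake.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quake.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # certbot TLS settings (assumed)

    # Same HSTS policy as the Apache "Header always set" line (two years, subdomains).
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # Equivalent of "Header unset X-Powered-By": strip the upstream framework banner.
    proxy_hide_header X-Powered-By;

    access_log /var/log/nginx/quake.access.log;
    error_log  /var/log/nginx/quake.error.log;

    # Let's Encrypt renewals are served from the local document root, so the
    # ACME challenge never reaches the container ("ProxyPass ... !" in Apache).
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else goes to the container published on 127.0.0.1:49160.
    location / {
        proxy_pass http://127.0.0.1:49160;
        # ProxyPreserveHost On plus the usual forwarding headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket support: HTTP/1.1 with the Upgrade/Connection headers forwarded.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Run `nginx -t` after dropping this into sites-available and enabling it; the map block must sit outside the server block or the config test will fail.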






  Reply # 2084155 5-Sep-2018 08:09

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

 

 



  Reply # 2084163 5-Sep-2018 08:40

Was using NGINX but have moved to HA proxy.

http://www.loadbalancer.org/blog/nginx-vs-haproxy/

Hell for testing you can even containerise the proxy.

FROM haproxy:1.7
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg

 








  Reply # 2084180 5-Sep-2018 09:32

https://traefik.io/




  Reply # 2084214 5-Sep-2018 10:28

marpada:

This cuts it for me https://github.com/jwilder/nginx-proxy , in combination with https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion for generating Let's Encrypt certs.

^ this. It's what I do, and works great.


mdf




  Reply # 2089925 13-Sep-2018 11:53

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

 

There are bound to be follow up queries the deeper I get into this.


Mr Snotty

  Reply # 2089932 13-Sep-2018 11:59

mdf:

Thanks all. I've kept plugging away at this and seem to be making some progress! traefik.io seems to be the winner so far - once I cracked it (I think - figuring out how the labels worked was key) it seems to be the most straightforward, albeit perhaps not with the best documentation for absolute n00bs. If anyone else stumbles across this thread looking for similar advice, this howto was probably the best introductory one I found (although some of the screen caps seem to be out of order): https://www.howtoforge.com/tutorial/ubuntu-docker-traefik-proxy/

There are bound to be follow up queries the deeper I get into this.

Excellent - may need to try traefik. Looks quite good!







  Reply # 2091283 16-Sep-2018 02:28

HAProxy is the way to go, especially if you're dealing with WebSockets etc. They posted a great article the other day https://www.haproxy.com/blog/introduction-to-haproxy-acls/


mdf




  Reply # 2092891 18-Sep-2018 21:57

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

 

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

 

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

 

This is very much still just in the learning experimenting phase. I don't have specific use cases in mind, beyond having a server run a few web apps that I can then muck around with without fear of consequence when I break something important. I am not silly enough to actually use anything I build myself for any kind of live/important deployment.




  Reply # 2092899 18-Sep-2018 22:06

mdf:

It's coming along! Now if only I could get the number of leading spaces required in the docker-compose.yml file right the first time...

The number of spaces doesn't matter, as long as it is consistent at the same level. That, and not mixing tabs and spaces (been there, done that :) )

mdf:

As a matter of good/best practice, just wondering what others do for web apps requiring databases? Some containers I've been experimenting with include a SQL database in that container, some require an "external" database (which I've been setting up as a separate container), and some have the option of either.

For separate database containers, would you set up a dedicated container for each database, or use a common database - e.g. WordPress container 1, WordPress container 2 and MediaWiki container 1 speaking to the same database container, or a dedicated database container for each?

Definitely a separate container for your databases. Having your database in the same container as the app is the docker way™. The only time I would use a database in an application container is a SQLite database, since that doesn't have a daemon running.

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique.


mdf




  Reply # 2092904 18-Sep-2018 22:14

stinger:

As for one db container or one container per database, it's a personal preference. In my environment, I have a separate container for each database. Makes it a lot easier for docker-compose.yml as each database is unique.

Thanks @stinger. If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?




  Reply # 2092905 18-Sep-2018 22:25

mdf:

If I can steal another page from your playbook, how do you set up passwords for each database? Use a secrets file or just chuck it in the docker-compose environment? And distinct passwords for each database or one really secure one?

I have the database password in my docker-compose file (by setting POSTGRES_PASSWORD in the environment). Given that the password needs to be stored unencrypted in the application container (or mounted to that container), I don't see any real benefit in trying to hide the password in the yml file (by using docker secrets for example). All my database passwords are random 24 character strings (generated with "pwgen 24 1"), and are different for each database. Of course you must trust everyone that has shell access on the docker host, but in my case, that is me, myself and I :)

